search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add sslCAFile option to DatabaseMysqli
[mediawiki.git] / includes / user / PasswordReset.php
blobdd16fb78ba31655c135073ac106342ec1a5a4695
1 <?php
2 /**
3 * User password reset helper for MediaWiki.
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License as published by
7 * the Free Software Foundation; either version 2 of the License, or
8 * (at your option) any later version.
9 *
10 * This program is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 * GNU General Public License for more details.
14 *
15 * You should have received a copy of the GNU General Public License along
16 * with this program; if not, write to the Free Software Foundation, Inc.,
17 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18 * http://www.gnu.org/copyleft/gpl.html
19 *
20 * @file
21 */
22
23 use MediaWiki\Auth\AuthManager;
24 use MediaWiki\Auth\TemporaryPasswordAuthenticationRequest;
25 use Psr\Log\LoggerAwareInterface;
26 use Psr\Log\LoggerInterface;
27 use MediaWiki\Logger\LoggerFactory;
28
29 /**
30 * Helper class for the password reset functionality shared by the web UI and the API.
31 *
32 * Requires the TemporaryPasswordPrimaryAuthenticationProvider and the
33 * EmailNotificationSecondaryAuthenticationProvider (or something providing equivalent
34 * functionality) to be enabled.
35 */
36 class PasswordReset implements LoggerAwareInterface {
37 /** @var Config */
38 protected $config;
39
40 /** @var AuthManager */
41 protected $authManager;
42
43 /** @var LoggerInterface */
44 protected $logger;
45
46 /**
47 * In-process cache for isAllowed lookups, by username.
48 * Contains a StatusValue object
49 * @var HashBagOStuff
50 */
51 private $permissionCache;
52
53 public function __construct( Config $config, AuthManager $authManager ) {
54 $this->config = $config;
55 $this->authManager = $authManager;
56 $this->permissionCache = new HashBagOStuff( [ 'maxKeys' => 1 ] );
57 $this->logger = LoggerFactory::getInstance( 'authentication' );
58 }
59
60 /**
61 * Set the logger instance to use.
62 *
63 * @param LoggerInterface $logger
64 * @since 1.29
65 */
66 public function setLogger( LoggerInterface $logger ) {
67 $this->logger = $logger;
68 }
69
70 /**
71 * Check if a given user has permission to use this functionality.
72 * @param User $user
73 * @param bool $displayPassword If set, also check whether the user is allowed to reset the
74 * password of another user and see the temporary password.
75 * @since 1.29 Second argument for displayPassword removed.
76 * @return StatusValue
77 */
78 public function isAllowed( User $user ) {
79 $status = $this->permissionCache->get( $user->getName() );
80 if ( !$status ) {
81 $resetRoutes = $this->config->get( 'PasswordResetRoutes' );
82 $status = StatusValue::newGood();
83
84 if ( !is_array( $resetRoutes ) ||
85 !in_array( true, array_values( $resetRoutes ), true )
86 ) {
87 // Maybe password resets are disabled, or there are no allowable routes
88 $status = StatusValue::newFatal( 'passwordreset-disabled' );
89 } elseif (
90 ( $providerStatus = $this->authManager->allowsAuthenticationDataChange(
91 new TemporaryPasswordAuthenticationRequest(), false ) )
92 && !$providerStatus->isGood()
93 ) {
94 // Maybe the external auth plugin won't allow local password changes
95 $status = StatusValue::newFatal( 'resetpass_forbidden-reason',
96 $providerStatus->getMessage() );
97 } elseif ( !$this->config->get( 'EnableEmail' ) ) {
98 // Maybe email features have been disabled
99 $status = StatusValue::newFatal( 'passwordreset-emaildisabled' );
100 } elseif ( !$user->isAllowed( 'editmyprivateinfo' ) ) {
101 // Maybe not all users have permission to change private data
102 $status = StatusValue::newFatal( 'badaccess' );
103 } elseif ( $this->isBlocked( $user ) ) {
104 // Maybe the user is blocked (check this here rather than relying on the parent
105 // method as we have a more specific error message to use here and we want to
106 // ignore some types of blocks)
107 $status = StatusValue::newFatal( 'blocked-mailpassword' );
108 }
109
110 $this->permissionCache->set( $user->getName(), $status );
111 }
112
113 return $status;
114 }
115
116 /**
117 * Do a password reset. Authorization is the caller's responsibility.
118 *
119 * Process the form. At this point we know that the user passes all the criteria in
120 * userCanExecute(), and if the data array contains 'Username', etc, then Username
121 * resets are allowed.
122 *
123 * @since 1.29 Fourth argument for displayPassword removed.
124 * @param User $performingUser The user that does the password reset
125 * @param string $username The user whose password is reset
126 * @param string $email Alternative way to specify the user
127 * @return StatusValue Will contain the passwords as a username => password array if the
128 * $displayPassword flag was set
129 * @throws LogicException When the user is not allowed to perform the action
130 * @throws MWException On unexpected DB errors
131 */
132 public function execute(
133 User $performingUser, $username = null, $email = null
134 ) {
135 if ( !$this->isAllowed( $performingUser )->isGood() ) {
136 throw new LogicException( 'User ' . $performingUser->getName()
137 . ' is not allowed to reset passwords' );
138 }
139
140 $resetRoutes = $this->config->get( 'PasswordResetRoutes' )
141 + [ 'username' => false, 'email' => false ];
142 if ( $resetRoutes['username'] && $username ) {
143 $method = 'username';
144 $users = [ User::newFromName( $username ) ];
145 $email = null;
146 } elseif ( $resetRoutes['email'] && $email ) {
147 if ( !Sanitizer::validateEmail( $email ) ) {
148 return StatusValue::newFatal( 'passwordreset-invalidemail' );
149 }
150 $method = 'email';
151 $users = $this->getUsersByEmail( $email );
152 $username = null;
153 } else {
154 // The user didn't supply any data
155 return StatusValue::newFatal( 'passwordreset-nodata' );
156 }
157
158 // Check for hooks (captcha etc), and allow them to modify the users list
159 $error = [];
160 $data = [
161 'Username' => $username,
162 'Email' => $email,
163 ];
164 if ( !Hooks::run( 'SpecialPasswordResetOnSubmit', [ &$users, $data, &$error ] ) ) {
165 return StatusValue::newFatal( Message::newFromSpecifier( $error ) );
166 }
167
168 if ( !$users ) {
169 if ( $method === 'email' ) {
170 // Don't reveal whether or not an email address is in use
171 return StatusValue::newGood( [] );
172 } else {
173 return StatusValue::newFatal( 'noname' );
174 }
175 }
176
177 $firstUser = $users[0];
178
179 if ( !$firstUser instanceof User || !$firstUser->getId() ) {
180 // Don't parse username as wikitext (T67501)
181 return StatusValue::newFatal( wfMessage( 'nosuchuser', wfEscapeWikiText( $username ) ) );
182 }
183
184 // Check against the rate limiter
185 if ( $performingUser->pingLimiter( 'mailpassword' ) ) {
186 return StatusValue::newFatal( 'actionthrottledtext' );
187 }
188
189 // All the users will have the same email address
190 if ( !$firstUser->getEmail() ) {
191 // This won't be reachable from the email route, so safe to expose the username
192 return StatusValue::newFatal( wfMessage( 'noemail',
193 wfEscapeWikiText( $firstUser->getName() ) ) );
194 }
195
196 // We need to have a valid IP address for the hook, but per T20347, we should
197 // send the user's name if they're logged in.
198 $ip = $performingUser->getRequest()->getIP();
199 if ( !$ip ) {
200 return StatusValue::newFatal( 'badipaddress' );
201 }
202
203 Hooks::run( 'User::mailPasswordInternal', [ &$performingUser, &$ip, &$firstUser ] );
204
205 $result = StatusValue::newGood();
206 $reqs = [];
207 foreach ( $users as $user ) {
208 $req = TemporaryPasswordAuthenticationRequest::newRandom();
209 $req->username = $user->getName();
210 $req->mailpassword = true;
211 $req->caller = $performingUser->getName();
212 $status = $this->authManager->allowsAuthenticationDataChange( $req, true );
213 if ( $status->isGood() && $status->getValue() !== 'ignored' ) {
214 $reqs[] = $req;
215 } elseif ( $result->isGood() ) {
216 // only record the first error, to avoid exposing the number of users having the
217 // same email address
218 if ( $status->getValue() === 'ignored' ) {
219 $status = StatusValue::newFatal( 'passwordreset-ignored' );
220 }
221 $result->merge( $status );
222 }
223 }
224
225 $logContext = [
226 'requestingIp' => $ip,
227 'requestingUser' => $performingUser->getName(),
228 'targetUsername' => $username,
229 'targetEmail' => $email,
230 'actualUser' => $firstUser->getName(),
231 ];
232
233 if ( !$result->isGood() ) {
234 $this->logger->info(
235 "{requestingUser} attempted password reset of {actualUser} but failed",
236 $logContext + [ 'errors' => $result->getErrors() ]
237 );
238 return $result;
239 }
240
241 $passwords = [];
242 foreach ( $reqs as $req ) {
243 $this->authManager->changeAuthenticationData( $req );
244 }
245
246 $this->logger->info(
247 "{requestingUser} did password reset of {actualUser}",
248 $logContext
249 );
250
251 return StatusValue::newGood( $passwords );
252 }
253
254 /**
255 * Check whether the user is blocked.
256 * Ignores certain types of system blocks that are only meant to force users to log in.
257 * @param User $user
258 * @return bool
259 * @since 1.30
260 */
261 protected function isBlocked( User $user ) {
262 $block = $user->getBlock() ?: $user->getGlobalBlock();
263 if ( !$block ) {
264 return false;
265 }
266 $type = $block->getSystemBlockType();
267 if ( in_array( $type, [ null, 'global-block' ], true ) ) {
268 // Normal block. Maybe it was meant for someone else and the user just needs to log in;
269 // or maybe it was issued specifically to prevent some IP from messing with password
270 // reset? Go out on a limb and use the registration allowed flag to decide.
271 return $block->prevents( 'createaccount' );
272 } elseif ( $type === 'proxy' ) {
273 // we disallow actions through proxy even if the user is logged in
274 // so it makes sense to disallow password resets as well
275 return true;
276 } elseif ( in_array( $type, [ 'dnsbl', 'wgSoftBlockRanges' ], true ) ) {
277 // these are just meant to force login so let's not prevent that
278 return false;
279 } else {
280 // some extension - we'll have to guess
281 return true;
282 }
283 }
284
285 /**
286 * @param string $email
287 * @return User[]
288 * @throws MWException On unexpected database errors
289 */
290 protected function getUsersByEmail( $email ) {
291 $res = wfGetDB( DB_REPLICA )->select(
292 'user',
293 User::selectFields(),
294 [ 'user_email' => $email ],
295 __METHOD__
296 );
297
298 if ( !$res ) {
299 // Some sort of database error, probably unreachable
300 throw new MWException( 'Unknown database error in ' . __METHOD__ );
301 }
302
303 $users = [];
304 foreach ( $res as $row ) {
305 $users[] = User::newFromRow( $row );
306 }
307 return $users;
308 }
309 }
MediaWiki Core